Security Advisory YSA-2021-04
Security Advisory – Input validation issues in libyubihsm
The YubiHSM library that is included in the yubihsm-shell project, does not properly validate the length of some operations including SSH signing requests and some data operations received from the YubiHSM 2.
The yubihsm-shell project is included in the YubiHSM 2 SDK product. Release version 2021.08 and prior of the SDK are affected. Note that several components included in the SDK depend on the YubiHSM library from the yubihsm-shell project. YubiHSM, YubiHSM 2, YubiKey 5 Series, YubiKey 4 Series, YubiKey FIPS Series, Security Key by Yubico Series, or previous generation YubiKey devices are not impacted.
How to tell if you are affected
Check the version of yubihsm-shell:
$ yubihsm-shell --version
If you have yubihsm-shell version 2.2.0 (included in the YubiHSM 2 SDK 2021.08 release) or below, your software is affected and we recommend upgrading to the latest YubiHSM 2 SDK.
For users of the YubiHSM 2 SDK without yubihsm-shell, versions 2021.08 and below are affected.
Affected parties should upgrade yubihsm-shell by installing the latest version of YubiHSM 2 SDK.
An issue was discovered in the yh_com_sign_ssh_certificate() function of libyubihsm in YubiHSM 2 SDK version 2021.08 and earlier. This function is invoked through both the ‘certify’ command in yubihsm-shell, and the “-a sign-ssh-certificate” command-line flag. The function does not correctly validate the input length field of the provided data buffer, which can lead to an out-of-bounds write. In the context of the yubihsm-shell, an out-of-bounds write will lead to a crash of the running process due to runtime protections in Yubico releases.
Binaries and releases from third parties may be impacted differently if different runtime and platform mitigation strategies are used.
Boundary checks have been introduced in other areas of libyubihsm to increase the resilience of the logic that processes data from the YubiHSM.
On September 4, 2021, Christian Reitter notified Yubico of this security issue. We thank Christian Reitter for reporting it and working with us under coordinated vulnerability disclosure.
|September 4, 2021||Christian Reitter reports issue to Yubico|
|December 8, 2021||Yubico releases advisory YSA-2021-04|